CVE-2026-20897

CRITICAL 9.1

Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)

CVSS Score

9.1

EPSS Score

0.4%

EPSS Percentile

29th

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

CWE	CWE-284 CWE-639
Vendor	gitea
Product	gitea open source git server
Published	Jan 22, 2026
Last Updated	Jun 27, 2026

Stay Ahead of the Next One

Get instant alerts for gitea gitea open source git server

Be the first to know when new critical vulnerabilities affecting gitea gitea open source git server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Gitea / Gitea Open Source Git Server

0 ≤ 1.25.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/go-gitea/gitea/security/advisories/GHSA-rrq5-r9h5-pc7c github.com: https://github.com/go-gitea/gitea/pull/36344 github.com: https://github.com/go-gitea/gitea/pull/36349 github.com: https://github.com/go-gitea/gitea/releases/tag/v1.25.4 blog.gitea.com: https://blog.gitea.com/release-of-1.25.4/ access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-20897 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2432204 security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-20897.json

Credits

🔍 spingARbor